Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Ondřej, > On 27. Feb 2024, at 16:43, Ondřej Surý wrote: > > Carsten, could you please fill a feature request in the GitLab? Done, #4606. Greetings Carsten -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Jim, > On 27. Feb 2024, at 16:39, Jim P. via bind-users > wrote: > > There should also be an option to display the current configuration in > specific detail to easily create a new KASP (side question: why does DNS > need a new acronym?) The term “KASP” for “Key-and-signing-policy” has

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Matthijs, On 27 Feb 2024, at 15:54, Matthijs Mekking wrote: > - When migrating to dnssec-policy, make sure the configuration matches your > existing keys. the most problems I've seen so far have to do with this step: admins "think" they have created a configuration that matches the current

Old ZSK refuses to retire

2023-04-26 Thread Carsten Strotmann via bind-users
Hi, I have a situation where in a BIND 9 zone with dnssec-policy and inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire. Although the timing metadata shows the retire and deletion dates in the past, the ZSK is still in the zone and is signing the records (along with the

KASP: sharing policy and keys between views

2023-03-17 Thread Carsten Strotmann via bind-users
DNSSEC signed split horizon setup? Greetings Carsten Strotmann -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

Re: DNSTAP overload condition logging

2021-11-19 Thread Carsten Strotmann
Hi Chris, Chris Buxton writes: Hi Carsten, From our reading of the code, it appears that when the buffer fills up, it refuses to accept new entries. Older events are not overwritten, but newer events are refused. The fstrm_iothr_submit() function can return

DNSTAP overload condition logging

2021-11-18 Thread Carsten Strotmann
Hi, how can a BIND 9 operator detect a DNSTAP overload condition? My understanding is that BIND 9 worker threads write DNSTAP information into a circular buffer in memory, which is then read by a different thread to write out the data (to file or socket). Is there any indication to the

Re: How to measure use of forwarders?

2021-11-18 Thread Carsten Strotmann
Hello Richard, "Parkin, Richard (R.)" writes: Hello! We recently re-addressed some of our external-facing cache servers into a new network and discovered that our IPs appear to be blackholed going to certain third-party auth servers, either intentionally or unintentionally. Our

Status of zytrax.com "DNS for Rocket Scientists" website

2021-04-19 Thread Carsten Strotmann
Hi, does anyone know about the status of the zytrax.com website and the excellent "DNS for Rocket Scientists" guide? The webpage first had a x509 certificate error (expired) in December 2020 and now the web server is unreachable. I (and colleagues) have tried to reach Ron Aitchison by mail

Re: Wildcard DNS records

2018-03-15 Thread Carsten Strotmann
Hello Stefano, Chiesa, Stefano writes: > Hello all. > I manage several BIND 9.10.4-P8 servers with more or less 600 DNS zones. > Anyway I never used wildcard DNS record and I hope you can help me to > understand. > > The need is: > * I have a dns zone i.e.

Re: TLD Registries supporting RFC 7344/8078

2018-03-14 Thread Carsten Strotmann
Hello Stephane, Stephane Bortzmeyer <bortzme...@nic.fr> writes: > On Tue, Mar 13, 2018 at 10:52:50AM +0100, > Carsten Strotmann <c...@strotmann.de> wrote > a message of 19 lines which said: > >> is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078)

TLD Registries supporting RFC 7344/8078

2018-03-13 Thread Carsten Strotmann
Hi, is automatic DNSSEC Delegation Trust Maintenance (RFC 7344/8078) already supported at the TLD level somewhere? I know it is implemented in BIND 9.11+ and Knot, but can it be used in the real Internet :) I searched the usual places but cannot find any information indicating support at TLD

Re: SOA Minimum comment in "dig" output

2018-02-12 Thread Carsten Strotmann
Hi, here is a question I've got during a DNS training, and I still do not have a good answer: RFC 2308 "DNS NCACHE" defines the last field of the SOA RR as "the TTL of negative responses". ; << DiG 9.10.3-P4-Ubuntu << +noall +answer +multi +cmd soa example.com ;; global options:

BIND 9.10 IPv6 performance

2015-03-08 Thread Carsten Strotmann
Hi, I'm doing some performance tests on some modern Haswell CPU machines (20 cores) using Ubuntu Linux 14.04 (Kernel 3.13.0-46-generic) using BIND 9.10.1-P2 compiled with --with-tuning=large. With using 8 worker threads I get near 400K QPS via IPv4 UDP (from a hot cache without resolving), which

Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Hello Shumon, Shumon Huque shu...@gmail.com writes: On Sat, Feb 21, 2015 at 7:35 AM, Carsten Strotmann c...@strotmann.de wrote: Hi, I'm trying to build an automated update system for OPENPGPKEY records with BIND 9 9.9.6-P2 and nsupdate. I've verified the TSIG keys, I can add

Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
). -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind

Re: size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
Addition: this is how the nsupdate line for the record looks like add f437b55d4fb40f93bbfa04802a6a2bcf8b69d5ee93d1b53259e6e4fc._openpgpkey.sys4.de. IN TYPE61 \# 3340 99020d[] The RDATA size after \# seems to be correct. -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

size limit on RDATA in nsupdate

2015-02-21 Thread Carsten Strotmann
this be a buffer issue? -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-25 Thread Carsten Strotmann
. Could you give a link to additional information or could you explain the issue with NSEC3 salt in other words? Best regards Carsten -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-24 Thread Carsten Strotmann
-generating all RRSIGs is not a problem), I would recommend to roll the salt in the same intervals, but independent from the ZSK rollover. -- Carsten Strotmann Email: c...@strotmann.de Blog: dnsworkshop.org

Re: DNS slave not synced after successfully zone transfer

2014-07-24 Thread Carsten Strotmann
-P2.x64.zip -- Carsten Strotmann Email: c...@strotmann.de Blog: dnsworkshop.org

Re: Can someone please translate entries from query.log file?

2014-07-16 Thread Carsten Strotmann
/9.9.3-P2/ Best regards Carsten -- Carsten Strotmann Email: c...@strotmann.de Blog: strotmann.de

Re: What means -EDC in bind9 logs ?

2014-04-24 Thread Carsten Strotmann
Jean-François Leroux leroux.jeanfranc...@gmail.com writes: Hi, must be a stupid question but I hadn't noticed before that some queries in my server are labelled like that query IN A -ED (or EDC, or EC) What does this mean ? you'll find the documentation for query-log entries

Re: All client resolvers support DNSSEC compatible queries ???

2014-04-24 Thread Carsten Strotmann
Hello Jeronimo, Jeronimo L. Cabral jelocab...@gmail.com writes: Dear, we have several hosts in our LAN that ask our BIND DNS: Debian, Windows 7, Red Hat and CentOS. If we implement DNSSEC validation support in our BIND9 server...how can I know if our hosts' resolvers are compatible with

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-21 Thread Carsten Strotmann
Hello Evan, Evan Hunt e...@isc.org writes: On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote: there could be a hard-link from a name like tsig-keygen to dnssec-keygen which changes the type of key created to -n HOST. That would not require any change to the existing interface

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Carsten Strotmann
Hi Evan, Evan Hunt e...@isc.org writes: On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote: I agree that it might be nice to change dnssec-keygen to make the tool more userfriendly. The current state-of-things is because of historic developments in how DNSSEC came to birth

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-06 Thread Carsten Strotmann
Hello Evan, Evan Hunt e...@isc.org writes: there could be a hard-link from a name like tsig-keygen to dnssec-keygen which changes the type of key created to -n HOST. That would not require any change to the existing interface. Just an idea. Thanks, Carsten. I had actually had the same

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-05 Thread Carsten Strotmann
Gaurav Kansal gaurav.kan...@nic.in writes: I was wondering if HMAC* keys are not used for zone then why the same is displayed when we use dnssec-keygen -h. the tool dnssec-keygen can be used to create both zone keys (with -n ZONE) for DNSSEC zone signing, and host keys (with -n HOST) for TSIG

Re: Monitoring Zonefiletransfer

2014-02-27 Thread Carsten Strotmann
Hi Markus, Markus Weber bumpemacve...@googlemail.com writes: Choose sane SOA values. refresh and retry expire I will check these values, i thought they were kind of standard values the default SOA values on a MS DNS Server are well and good for dynamic, internal, AD integrated DNS

Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-21 Thread Carsten Strotmann
Hi Chris, Chris Buxton cli...@buxtonfamily.us writes: I’d bet that the package from Men Mice includes this script or an equivalent workaround. When I wrote the original script I wrote about above, I worked at Men Mice. Your script or the sleep timer is not in the package anymore, but maybe

Re: Allow recursion for external resources in a authoritative zone on a not open dns server

2013-11-19 Thread Carsten Strotmann
to configure in BIND, only you need a BIND DNS Server acting as a cache server. A client should never directly talk to an authoritative (only) DNS Server. It should always go through an intermediate caching. Best regards Carsten Strotmann Chiesa Stefano stefano.chi...@wki.it writes: Hello all. I

Re: MacOS X 10.9 upgrade removes BIND

2013-10-30 Thread Carsten Strotmann
Hi Sean, Sean Channel schan...@isc.org writes: Thanks for the MM package, this is fantastic! On the critical side, the package BOM only lists an extinct tarball instead of the actual files and directories in the package. Just a nit pick, apologies: yes, that is a historical artifact from

Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
servers. named -V gives you the compile switches used to compile your current BIND. If you use the very same switches during compiling 9.8.6, you should get a new BIND that matches your existing setup and is a drop-in replacement. Best regards Carsten Strotmann

Re: Upgrade Bind documentation

2013-10-25 Thread Carsten Strotmann
Eduardo Bonsi beart...@pacbell.net writes: Menandmice have some pre-compiled packages updates for these systems. http://support.menandmice.com/download/bind/ GNU-kfreebsd/ illumian/ kGNUfreebsd/ linux/ macosx/ solaris/ (as the one compiling the BIND packages @ Men Mice):

MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
other users, but I need to confirm this on a lab environment. The Men Mice BIND MacOS X installers at currently fail on MacOS X 10.9, because /var/named is not there. I'm working on updating the Men Mice packages to work on MacOS X 10.9. Best regards Carsten Strotmann

Re: MacOS X 10.9 upgrade removes BIND

2013-10-25 Thread Carsten Strotmann
. Please report any issues with this installers to me. Best regards Carsten Strotmann Eduardo Bonsi beart...@pacbell.net writes: I want to confirm what Carsten said here; I just performed an upgrade from Snow Leopard, 10.6.8 one day before Yesterday. The upgrade itself went fine except for BIND

Re: Performance Tuning RHEL 5 and Bind

2013-10-24 Thread Carsten Strotmann
Hi, Kevin Darcy k...@chrysler.com writes: Are these queries mostly for names in an Active Directory domain? The default for Active Directory is for *every* Domain Controller to register NS records at the apex of the AD domain. Pretty soon, for any reasonably-sized AD infrastructure, all of

Re: chroot /var/run permissions

2013-08-28 Thread Carsten Strotmann
Hello John, jo...@primebuchholz.com writes: What I am I missing here? /var/named/var/run and /var/named/var/run/named have group write permissions, so it seems it *shouldn't* be complaining, and the resulting files should've been owned by named, shouldn't they? If you are running

Re: [users@httpd] webservers not responding properly after hardware change

2013-06-14 Thread Carsten Strotmann
Hi Norman, Norman Fournier nor...@normanfournier.com writes: ns2:~ norman$ apachectl -t Syntax OK ns2:~ norman$ apachectl restart launchctl: CFURLWriteDataAndPropertiesToResource (/System/Library/LaunchDaemons/org.apache.httpd.plist) failed: -10 ns2:~ norman$ apachectl start launchctl:

Re: [users@httpd] webservers not responding properly after hardware change

2013-06-14 Thread Carsten Strotmann
Hello Norman, Norman Fournier nor...@normanfournier.com writes: I posted this to httpd.apache.org but have not had any response, so I think it may be more related to BIND than DNS. Apologies for the cross-post. the information you give is not enough to debug the problem or even to have a

Re: [Architecture discussion] IPv6 and best practices for DNS naming and the MX/SMTP problem

2013-05-27 Thread Carsten Strotmann
. That is a good idea, for multiple reasons. I don't had time to prepare examples for my suggestions here, but I could come up with config examples if you would like to see them. Best regards Carsten Strotmann

Re: RSA warnings errors in 9.8.4

2013-01-06 Thread Carsten Strotmann
Hello Jay, Jay Ford jay-f...@uiowa.edu writes: I just upgraded BIND on a Linux-based server from 9.8.3-P3 to 9.8.4. I started getting a bunch of RSA_verify errors, as has been discussed on this list. Is there a 9.8 release which quells those messages, or is hacking the source

Re: Ubuntu 12.04 BIND 9.9.2-P1

2013-01-06 Thread Carsten Strotmann
error and then look for the next. Best regards Carsten Strotmann

Re: zone files in bind-9.9

2013-01-06 Thread Carsten Strotmann
Hello Feng, Feng He fen...@nsbeta.info writes: I upgraded my BIND from 9.7 to 9.9. For BIND 9.7 all zone files under /var/cache/bind are clear textes. But under BIND 9.9 it seems the zone files are binary format. So how can we check the content of zone files now? you can use

Re: difference between default views in named_statistics.txt

2012-12-29 Thread Carsten Strotmann
output give you information how many queries are received for normal DNS zones (view _default) and the special build in zone (view _bind). Best regards Carsten Strotmann

Re: rndc reconfig does not work

2012-12-29 Thread Carsten Strotmann
Hello Ben, benjamin fernandis benjo11...@gmail.com writes: Hi, As per my understanding, if we change anything in named.conf and then if we require to enable changes without service restart, we go with rndc reconfig. So i tried it but it does not work. rndc reconfig does only very

Re: nsupdate for default TTL

2012-12-26 Thread Carsten Strotmann
the dedicated TTLs on each individual resource record using the nsupdate tool. Best regards and a good new year! Carsten Strotmann

Re: Query regarding 'UPDATE' field in log entries

2012-12-26 Thread Carsten Strotmann
need to configure the zone as a dynamic zone (using update-policy or allow-update statements). If the client is not in your own networks, someone in the remote network has (mis-)configured the client to be inside the test-zone.in domain. Best regards Carsten Strotmann

Re: Upstart job for BIND9

2012-11-29 Thread Carsten Strotmann
Hello Alexander, Alexander Gurvitz a...@net-me.net writes: Carsten, The script in my original question (it's in the P.S. at the bottom of my first mail) seem to work for me. Ahh, thanks, my Emacs was hiding that :) (I can't decide which one is better: bind.conf, bind9.conf or

Re: Performance tuning

2012-11-28 Thread Carsten Strotmann
is usually not the issue. Best regards Carsten Strotmann

Re: User wanting to use a .local domain to host DNS

2012-11-15 Thread Carsten Strotmann
Phil Mayers p.may...@imperial.ac.uk writes: On 14/11/12 15:02, King, Harold Clyde (Hal) wrote: I'm a bit confused by a user request. I think he is trying to keep some hosts on the private side of DNS, but he wants to use a DNS name like host.sub.local. I do not know of the use of the .local

Re: ISC Bind in Active Directory

2012-11-02 Thread Carsten Strotmann
Hello Phil, Phil Mayers p.may...@imperial.ac.uk writes: On 10/24/2012 10:17 PM, Carsten Strotmann wrote: my experience is that it is safe to place clients in either a DNS domain with the same name as the AD domain, or in a subdomain of the AD domain. What does place mean, exactly

Re: Spotty Lookups on One of Our Networks

2012-10-31 Thread Carsten Strotmann
Hello Martin, Martin McCormick mar...@dc.cis.okstate.edu writes: I described a case where one of our remote campuses can't resolve a number of remote domains. One example is noaa.gov. It also successfully resolves random remote domains without seemingly any rime or reason. Here is a

Re: ISC Bind in Active Directory

2012-10-24 Thread Carsten Strotmann
Hello Aaron, Aaron Thompson athomp...@berklee.edu writes: I have little experience in the AD arena for DNS/DHCP. Without being a too loaded question, with your experience is it possible or common to have a very knowledgeable understanding of the performance and health of an AD system

Re: ISC Bind in Active Directory

2012-10-24 Thread Carsten Strotmann
it appear flat creates problems. -- Carsten Strotmann

Re: ISC Bind in Active Directory

2012-10-20 Thread Carsten Strotmann
. Pick your choice -- easy life vs. understanding and fun :) Carsten Strotmann Men Mice

Re: Error Resolving / EDNS

2012-09-19 Thread Carsten Strotmann
Hello James, James Tingler james.ting...@contr.netl.doe.gov writes:   E.g.   Sep 17 15:32:01 PROD55-DNS2 named[27503]: error (network unreachable) resolving 'www.amazon.com/A/IN': 2610:a1:1017::1#53 Sep 17 15:32:08 PROD55-DNS2 named[27503]: error (network unreachable) resolving

Re: Error Resolving / EDNS

2012-09-19 Thread Carsten Strotmann
Hello James, James Tingler james.ting...@contr.netl.doe.gov writes: Thanks for the reply Carsten.  This didn't make a difference but potentially I'm using the parameter incorrectly (no errors though).   /etc/rc.d/init.d/named start -4   no, it does not work that way.

Re: BIND 9.6-ESV-R7-P3 is now available

2012-09-13 Thread Carsten Strotmann
Ayca Taskin (Garanti Teknoloji) ayc...@garanti.com.tr writes: Hi, I'm using BIND 9.6.1-P3 and want to upgrade BIND 9.9.1-P3 on Solaris. What are your advices about upgrade and migration, to 9.9.1-P3, is there any guide for this? Whenever you upgrade to a new version of BIND (esp. when it

Re: install BIND on Mac OS X

2012-09-08 Thread Carsten Strotmann
pangj pa...@riseup.net writes: Thanks. bogon:~ pro$ named -v BIND 9.7.3-P3 This does have been installed. For a more recent version of BIND (9.8.x or 9.9.x), there are MacOS X installers of new versions at http://support.menandmice.com/download/bind/macosx/ -- Carsten

Re: Sunos 5.8 Error:EDNS not supported by your namesever

2012-09-06 Thread Carsten Strotmann
Ryan Novosielski novos...@umdnj.edu writes: FWIW, 9.6 ships with Solaris 10. current BIND release installer packages for Solaris 10 (Sparc and i86pc) can be found at http://support.menandmice.com/download/bind/solaris/ I'm also willing to build current BIND 9 packages for Solaris 8 or 9, but

Re: Version statement...

2012-08-17 Thread Carsten Strotmann
Jeff Justice listacco...@starionline.com writes: Hi Jeff, I am trying to mask our DNS servers version output to a custom string, but it doesn't seem to be working for me. In a nutshell, I have added this to my options block of my named.conf: version [DNS Server]; But when I do a

Re: security BIND

2012-08-04 Thread Carsten Strotmann
Hello Alberto, On Sat, 4 Aug 2012, Alberto Rasillo wrote: Hi what are recommendations regarding security and DNS service? Thanks it is difficult (impossible?) to answer such a generic question. Generic security advice for a DNS service: * read your DNS servers documentation carefully *

Re: Problem with DNSSEC signing zone

2012-07-20 Thread Carsten Strotmann
, but that is another issue). Best regards Carsten Strotmann

Re: Operation Cancelled Error

2012-07-12 Thread Carsten Strotmann (private)
Hello Ben, On 7/12/12 10:32 AM, Ben wrote: Still, my question is open.. I'm not from ISC, but I have an idea what causes this (but I'm not an authoritative source). You can look up the BIND source code. Every caching DNS Server (BIND or other

Re: BIND, DNSSEC AD

2012-06-30 Thread Carsten Strotmann (private)
Hello John, On 6/29/12 4:52 PM, John Williams wrote: The purpose behind this is not to protect the internal AD DNS from hijacking. But rather to allow internal clients to run DNSSEC related queries without having to reference external resolvers.

BIND, DNSSEC AD

2012-06-29 Thread Carsten Strotmann
Hello JT, I'm currently working on integrating MS DNSSEC (on Windows 2012) and BIND here @ Men Mice for another customer. I might have a solution for you, but I need more detail information about your setup. I will contact you by E-Mail on Monday (I hope that is not too late). -- Carsten

Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)
: QUERY, status: FORMERR, id: 30679 ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 I have no explanation of this issue at the moment. To my knowledge Google is using a homegrown DNS resolver, not BIND. Best regards Carsten Strotmann

Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)
IN A 207.46.55.10 ;; Query time: 37 msec ;; SERVER: 94.245.124.49#53(94.245.124.49) ;; WHEN: Sun Jun 24 10:00:54 2012 ;; MSG SIZE rcvd: 228 Having AD-Flag set on an non-DNSSEC zone might be a protocol violation, and that might be the cause of FORMERR. Best regards Carsten

Re: Understanding cause of DNS format error (FORMERR)

2012-06-24 Thread Carsten Strotmann (private)
Hello, On 6/24/12 10:07 AM, Carsten Strotmann (private) wrote: It might even be a new Windows 2012 DNS server, and it might be an issue with this new version. This is just speculation, but if it is an issue with Windows 2012 DNS, it might

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)
informed Microsoft about the issue. Best regards Carsten Strotmann

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)
rcvd: 60 If some other members of this mailing list also see the same FORMERR (I'm seeing it over IPv4+IPv6), that is is very likely a firewall or middlebox on the Microsoft side. Best regards Carsten Strotmann

Re: MS AD 2008R2 and bind

2012-01-03 Thread Carsten Strotmann (private)
from a test, and have not been properly removed when the IP addresses of the domain controller has been changed. Best regards Carsten Strotmann

Re: rndc addzone|delzone

2012-01-01 Thread Carsten Strotmann (private)
On 1/1/12 1:18 PM, DNSbed.com wrote: On Sun, 1 Jan 2012 13:05:41 +0100, Jan-Piet Mens jpmens@gmail.com wrote: Has anyone tried the new features of rndc addzone|delzone with BIND-9.7? Will the zone added|deleted get transfered between master

Re: rndc reload has no effect?

2011-12-31 Thread Carsten Strotmann (private)
On 12/31/11 8:09 AM, Ken Peng wrote: Today I setup a new name system, BIND 9.7.3 with multi-views, zone transfer are going based on different TSIG-Keys. I have found a strange problem that when I edited the zone file, added a record, increased

Take your DNSSEC with a grain of salt ...

2011-12-31 Thread Carsten Strotmann (private)
Hi, because it was a recurring question in the ISC/Men Mice DNSSEC trainings this year, I've taken some time to write down my knowledge on NSEC3 use of the salt and iteration parameters: